What's New in Group Policy Settings

Sometimes quality really is better than quantity. Remove the duplicates and Windows Server 2012 R2 and Windows 8.1 add a mere 45 new Group Policy Administrative Template settings, plus seven more for Internet Explorer 11. These numbers compare with more than 350 new settings found in the last Microsoft OS releases.

While Windows 8 and Windows Server 2012 offered more configuration options, the fewer new choices in Windows 8.1 and Windows Server 2012 R2 are perhaps more widely in demand.

Take, for example, the eight new settings in User Configuration | Start Menu and Taskbar. These are intended to deliver the Start Menu control many of you need to overcome concerns with the look and feel of Windows 8:

Start screen layout

List desktop apps first in the Apps view

Search just apps from the Apps view

Go to the desktop instead of Start when signing in or when all the apps on a screen are closed

Prevent users from uninstalling applications from Start

Show the Apps view automatically when the user goes to Start

Show Start on the display the user is using when they press the Windows logo key

Pin Apps to Start when installed

The setting "Start screen layout" is particularly compelling. This lets you define a standard Windows 8.1 Start screen. That standard is enforced, meaning users can't change the configuration once it's set.

Start screen layouts used by this Group Policy setting are stored in XML files generated by a new Export-StartLayout Windows PowerShell cmdlet. You'll have to first manually create a layout on a reference desktop. Then run the cmdlet to generate the XML file the Group Policy setting needs.

If enforcing Start menu settings isn't your style, "Pin Apps to Start when installed" might help, but you'll have to put in some extra effort up front. Enabling this setting also requires you to supply a list of AppIDs. You'll need one per application that might possibly be installed. AppIDs can be tough to locate, but you can find examples by digging into the Export-StartLayout cmdlet's XML output.
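As an added example (not code from the original article), the following PowerShell sketch shows the export step on a reference desktop and a helper that pulls the unique app IDs out of the resulting XML for use with "Pin Apps to Start when installed." The path, the helper name Get-StartLayoutAppId, the attribute names it matches and the sample XML (constructed here, with made-up Contoso IDs) are assumptions.

```powershell
# On the reference desktop, after arranging Start by hand (Windows 8.1 syntax):
#   Export-StartLayout -Path C:\Layouts\Reference.xml -As XML

# Hypothetical helper: list the unique app IDs referenced by an exported layout.
function Get-StartLayoutAppId {
    param([Parameter(Mandatory = $true)][string]$Path)

    # A binary (-As BIN) or malformed export throws here instead of yielding nothing.
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load((Resolve-Path -LiteralPath $Path).ProviderPath)

    $seen = @{}
    foreach ($node in $doc.SelectNodes('//*[@*]')) {
        foreach ($attr in $node.Attributes) {
            # Assumption: IDs live in attributes named AppID or AppUserModelID.
            if ($attr.LocalName -notmatch '^(AppID|AppUserModelID)$') { continue }
            $id = $attr.Value.Trim()
            if (-not $id -or $seen.ContainsKey($id)) { continue }
            $seen[$id] = $true
            [pscustomobject]@{
                AppId   = $id
                # Packaged apps use the form PackageFamilyName!ApplicationId.
                Kind    = if ($id -match '^[^!]+_[a-z0-9]{13}!.+$') { 'Packaged' } else { 'Desktop' }
                Element = $node.LocalName
            }
        }
    }
}

# Constructed sample standing in for a real export; element names are illustrative.
$sample = @'
<layout>
  <group>
    <tile AppID="Contoso.Notes_abcdefghjkmnp!App" size="wide" />
    <tile AppID="Contoso.Desktop.Editor" size="square" />
    <tile AppID="Contoso.Notes_abcdefghjkmnp!App" size="square" />
  </group>
</layout>
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed-start-layout.xml'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8

# Duplicates collapse, so each app ID is listed once with its kind.
Get-StartLayoutAppId -Path $tmp | Format-Table -AutoSize
```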

While in previous versions of Windows, Group Policy Preferences (GPPs) have been the go-to option for unique Start menu customizations, a cursory look at Windows 8.1 GPPs finds no such support for manipulating the new Start menu experience -- what a pity.

Other Settings
The Start menu isn't the sole recipient of Group Policy attention in this release. SkyDrive (or whatever Microsoft ultimately renames the service, having agreed not to fight Sky Broadcasting for the name) gets three Computer Configuration policies that limit its use as document storage:

Save documents and pictures to the local PC by default

Prevent the usage of SkyDrive for file storage

Prevent SkyDrive files from syncing over metered connections

If you're looking to control distribution of Windows updates, you'll appreciate the new Computer Configuration setting, "Do not connect to any Windows Update Internet locations." This setting ensures clients don't inadvertently grab updates from Microsoft that haven't undergone internal testing.

Search, Share, Start, Devices and Settings don't appear when the mouse is pointing to the upper-right corner of the screen

Do not show recent apps when the mouse is pointing to the upper-left corner of the screen

Finally, the award for the oddest-named Group Policy setting to date goes to another new Windows 8 UI setting found under User Configuration:

Prevent users from replacing the Command Prompt with Windows PowerShell in the menu they see when they right-click the lower-left corner or press the Windows logo key+X

Indeed, that menu.

These are the new Group Policy settings found in Policy Definitions of Windows 8.1 RTM.

Computer Configuration | Control Panel | Personalization

Prevent enabling the lock screen camera

Prevent enabling the lock screen slide show

Force a specific background and accent color

Force a specific Start background

Computer Configuration | Start Menu and Taskbar

Start screen layout

Pin apps to Start when installed

Computer Configuration | System | Credentials Delegation

Restrict delegation of credentials to remote servers

Computer Configuration | System | Group Policy

Configure Group Policy caching

Enable Group Policy caching for servers

Configure logon script delay

Computer Configuration | System | KDC

Request compound authentication

Computer Configuration | System | Kerberos

Always send compound authentication first

Computer Configuration | System | Net Logon | DC Locator DNS Records

Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the AllowSingleLabelDnsDomain setting is not enabled

Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.